On 18 March 2010 23:59, J. Roeleveld <jo...@antarean.org> wrote:
> Does this mean that the service-desk of companies are not compliant either?

Hehe, in a way. Social engineering is thankfully(?) outside the scope
of PCI-DSS compliance.

> 1) Check in phonebook for number of VISA credit card service desk
> 2) Call listed number
>
> They then will answer with:
> "Hello, thank you for calling VISA credit card service desk, <insert name>
> speaking, how may I help you?"
>
> Me: Hi, can you please direct me to <insert other name here>
>
> How is this different from:
>
> **
> $ telnet mail.isp.com 25
> Trying 10.1.4.50...
> Connected to mail.isp.com.
> Escape character is '^]'.
> 220 mailer.isp.com ESMTP Postfix
> MAIL TO <user>
> MAIL TO OK
> **
> I guessed the last 2 lines, but I think it shows what I mean? :)

Exactly! Disabling VRFY gains nothing because you can test with RCPT
TO instead. There will always be some debate about the value of this
measure ("why not disable it if we can?" vs. "why *bother* if we don't
have to?") - just ignore it and do whatever has to be done, there are
better things to waste energy on.

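To make the point of the reply above concrete, here is an added example that is not part of the original thread: a tiny in-process SMTP responder that has VRFY turned off (it answers 252 to every VRFY, the same non-committal reply Postfix gives with `disable_vrfy_command = yes`) but still tells valid from invalid mailboxes on RCPT TO, plus a probe that walks a candidate list through both commands. The hostname, mailbox list, port choice and candidate names are all constructed for the demo.

```python
"""Added example, not from the thread: VRFY disabled, RCPT TO still leaks."""
import socket
import socketserver
import threading

# Constructed demo data, not real accounts or hosts.
KNOWN_USERS = {"alice", "bob"}
DOMAIN = "mail.example.com"


class DemoSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder covering only the commands the probe sends."""

    def send(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        self.send(f"220 {DOMAIN} ESMTP demo")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.send(f"250 {DOMAIN}")
            elif verb == "VRFY":
                # "Disabled" VRFY: identical answer whether or not the user exists.
                self.send("252 2.0.0 VRFY command is disabled")
            elif verb == "MAIL":
                self.send("250 2.1.0 Ok")
            elif verb == "RCPT":
                # "TO:<alice@mail.example.com>" -> "alice"
                local = arg.split(":", 1)[-1].strip("<> ").split("@")[0].lower()
                if local in KNOWN_USERS:
                    self.send("250 2.1.5 Ok")
                else:
                    self.send("550 5.1.1 Recipient address rejected: User unknown")
            elif verb == "RSET":
                self.send("250 2.0.0 Ok")
            elif verb == "QUIT":
                self.send("221 2.0.0 Bye")
                return
            else:
                self.send("502 5.5.2 Error: command not recognized")


def start_demo_server():
    """Bind the responder to a random loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), DemoSMTPHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


class SMTPProbe:
    """Line-oriented SMTP client that keeps a transcript of both sides."""

    def __init__(self, host, port):
        self.sock = socket.create_connection((host, port), timeout=5)
        self.f = self.sock.makefile("rb")
        self.transcript = []
        self._read()  # server greeting

    def _read(self):
        reply = self.f.readline().decode(errors="replace").rstrip("\r\n")
        self.transcript.append("S: " + reply)
        return reply

    def cmd(self, line):
        self.transcript.append("C: " + line)
        self.sock.sendall((line + "\r\n").encode())
        return self._read()

    def close(self):
        self.cmd("QUIT")
        self.sock.close()


def enumerate_users(host, port, candidates):
    """Return {user: (vrfy_code, rcpt_code)} for each candidate local part."""
    p = SMTPProbe(host, port)
    p.cmd("EHLO probe.invalid")
    results = {}
    for user in candidates:
        vrfy = p.cmd(f"VRFY {user}")[:3]            # always 252 here
        p.cmd("MAIL FROM:<probe@probe.invalid>")
        rcpt = p.cmd(f"RCPT TO:<{user}@{DOMAIN}>")[:3]  # 250 vs 550 leaks the answer
        p.cmd("RSET")                                # reset envelope for next probe
        results[user] = (vrfy, rcpt)
    p.close()
    return results


def demo():
    """Run the probe against the in-process server and return its results."""
    server, port = start_demo_server()
    try:
        return enumerate_users("127.0.0.1", port, ["alice", "bob", "carol"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for user, (vrfy, rcpt) in demo().items():
        print(f"{user:6} VRFY->{vrfy}  RCPT TO->{rcpt}")
```

The VRFY column comes back 252 for every name, while the RCPT TO column splits cleanly into 250 for alice and bob and 550 for carol, which is the enumeration the reply describes. If this matters in practice, the controls that actually bite are per-client error limits and tarpitting of repeated recipient rejections (Postfix has `smtpd_soft_error_limit`, `smtpd_hard_error_limit` and `smtpd_error_sleep_time` for this), not the VRFY switch.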